Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed – ASEC BLOG

The Kimsuky threat group (North Korea-linked) continues spear-phishing campaigns against defense and government sectors, using AppleSeed/AlphaSeed alongside other tools to control infected systems. Recent operations show a shift toward LNK- and JavaScript-based delivery, with Chrome Remote Desktop and HVNC/TinyNuke components used for remote access. hashtags: #Kimsuky #AppleSeed #AlphaSeed #Meterpreter #TinyNuke #HVNC #RDP #ChromeRemoteDesktop

Keypoints

  • The Kimsuky group, active since 2013 and linked to North Korea, targets defense, energy, media, diplomacy, national organizations, and academia with spear-phishing to steal internal information.
  • Recent campaigns favor shortcut-type malware in LNK format, with JavaScript dropper delivery and ongoing use of AppleSeed alongside Excel macro malware.
  • AppleSeed is a backdoor that can receive commands, download more malware, log keys, take screenshots, and exfiltrate files.
  • AlphaSeed is a Go-based malware that communicates with C2 via ChromeDP and sometimes logs in using cookies instead of credentials; it is often deployed with AppleSeed.
  • Meterpreter backdoors (self-developed in newer variants) are used to control infected systems, evolving from Golang to C++-based implementations.
  • VNC-related capabilities (TightVNC and HVNC via TinyNuke) enable remote control, with HVNC verification strings and reuse across actors.
  • Chrome Remote Desktop has been observed as a remote-access method beyond RDP; user awareness and patching remain essential defenses.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing to deliver malware via email attachments; “The group usually launches spear phishing attacks against national defense, defense industries, media, diplomacy, national organizations, and academic sectors.”
  • [T1059.007] JavaScript – Dropper-based delivery; “The JavaScript dropper is responsible for installing AppleSeed while simultaneously creating and opening document files such as HWP and PDF.”
  • [T1117] Regsvr32 – DLL installation via Regsvr32; “AppleSeed checks this argument and proceeds with installation only when it matches a certain string; otherwise, it deletes itself.”
  • [T1071.001] Web Protocols – C2 over HTTP or email; “AppleSeed generally used the HTTP protocol or email (SMTP and IMAPS).”
  • [T1005] Data from Local System – Information theft by collecting files from the infected system and sending them to the attacker.
  • [T1113] Screen Capture – Taking screenshots as part of data collection.
  • [T1497] Sandbox Evasion – Argument checks to avoid sandbox; “checks the arguments upon malware execution” and self-deletes if not matching.

Indicators of Compromise

  • [MD5] AppleSeed-related backdoors – db5fc5cf50f8c1e19141eb238e57658c, 6a968fd1608bca7255c329a0701dbf58, cafc26b215550521a12b38de38fa802b
  • [File path] AppleSeed installation paths – %APPDATA%\AbodeService\AdobeService.dll, %APPDATA%\FoxitReaderService\FoxitReaderUpdate.db
  • [File name] AppleSeed/AlphaSeed dropper and backdoors – AbodeService\AdobeService.dll, FoxitReaderUpdate.db
  • [File] AlphaSeed/setting and Meterpreter artifacts – (%USERPROFILE%\.edge\edgemgmt.dat), (%PROGRAMDATA%\setting.dat)
  • [URL] C2 domains – hxxp://bitburny.kro[.]kr/aha/, hxxp://bitthum.kro[.]kr/hu/
  • [IP] Command-and-Control IPs – 104.168.145[.]83:993, 159.100.6[.]137:993, 38.110.1[.]69:993, 107.148.71[.]88:993
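The indicators above are only useful once they are turned into something that runs over telemetry. The script below is an added example (it is not code from ASEC or from the original post) that loads the page's MD5 hashes, drop paths, C2 domains and IP:port pairs and applies them, together with two behavioural rules drawn from the text (regsvr32 loading a DLL out of the roaming profile, T1117; regsvr32 making outbound mail-protocol connections, since the page states AppleSeed talks to its C2 over SMTP/IMAPS), to constructed key=value event lines in a simplified EDR-export style. The log format, the use of regsvr32's `/i:` switch to pass the install argument, the `[install-arg]` placeholder (the page says the argument exists but does not disclose its value) and the port list 25/465/587/993 are assumptions of this example, not details taken from the page.

```python
import re
from dataclasses import dataclass

# --- Indicators taken from the page (defanged there; plain form here) -------
APPLESEED_MD5 = {
    "db5fc5cf50f8c1e19141eb238e57658c",
    "6a968fd1608bca7255c329a0701dbf58",
    "cafc26b215550521a12b38de38fa802b",
}
C2_DOMAINS = {"bitburny.kro.kr", "bitthum.kro.kr"}
C2_ENDPOINTS = {
    ("104.168.145.83", 993), ("159.100.6.137", 993),
    ("38.110.1.69", 993), ("107.148.71.88", 993),
}
# Drop locations from the page's IoC list, path separators restored.
DROP_PATH_RE = re.compile(
    r"(AbodeService\\AdobeService\.dll|FoxitReaderService\\FoxitReaderUpdate\.db|"
    r"\.edge\\edgemgmt\.dat|ProgramData\\setting\.dat)$",
    re.IGNORECASE,
)
# Assumption: standard SMTP/IMAPS ports; the page only says "SMTP and IMAPS".
MAIL_PORTS = {25, 465, 587, 993}


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one key=value / key="quoted value" event line into a dict."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    }


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs that fire for one parsed event."""
    hits = []
    kind = ev.get("type")
    image = basename(ev.get("image", ""))
    if kind == "process" and image == "regsvr32.exe":
        # Regsvr32 loading a DLL from the roaming profile is how the page
        # describes the AppleSeed DLL being installed (T1117).
        if re.search(r"\\appdata\\roaming\\|%appdata%", ev.get("cmdline", ""), re.I):
            hits.append(("regsvr32_appdata_dll", ev.get("cmdline", "")))
    elif kind == "file":
        if ev.get("md5", "").lower() in APPLESEED_MD5:
            hits.append(("known_hash", ev["md5"]))
        if DROP_PATH_RE.search(ev.get("path", "")):
            hits.append(("appleseed_drop_path", ev["path"]))
    elif kind == "net":
        endpoint = (ev.get("dst", ""), int(ev.get("dport", 0)))
        if endpoint in C2_ENDPOINTS:
            hits.append(("c2_endpoint", f"{endpoint[0]}:{endpoint[1]}"))
        # Behavioural rule: a system binary such as regsvr32 has no reason to
        # speak SMTP/IMAPS, whatever the destination address is.
        if image == "regsvr32.exe" and endpoint[1] in MAIL_PORTS:
            hits.append(("regsvr32_mail_egress", f"{endpoint[0]}:{endpoint[1]}"))
    elif kind == "dns":
        if ev.get("query", "").lower().rstrip(".") in C2_DOMAINS:
            hits.append(("c2_domain", ev["query"]))
    return hits


def scan(log_text: str) -> list[Finding]:
    """Run every rule over each non-empty line; line numbers are 1-based."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        for rule, detail in check_event(parse_event(line)):
            findings.append(Finding(no, rule, detail))
    return findings


# Constructed sample events (not real telemetry). [install-arg] stands in for
# the install string the page says AppleSeed checks but does not disclose.
SAMPLE_LOG = """\
type=process image="C:\\Windows\\System32\\regsvr32.exe" cmdline="regsvr32.exe /s /n /i:[install-arg] C:\\Users\\u\\AppData\\Roaming\\AbodeService\\AdobeService.dll" parent="C:\\Windows\\System32\\wscript.exe"
type=process image="C:\\Windows\\System32\\regsvr32.exe" cmdline="regsvr32.exe /s C:\\Program Files\\Vendor\\plugin.dll" parent="C:\\Program Files\\Vendor\\setup.exe"
type=file action=create path="C:\\Users\\u\\AppData\\Roaming\\FoxitReaderService\\FoxitReaderUpdate.db" md5=6a968fd1608bca7255c329a0701dbf58
type=file action=create path="C:\\Users\\u\\Downloads\\report.pdf" md5=0123456789abcdef0123456789abcdef
type=net dst=104.168.145.83 dport=993 proto=tcp image="C:\\Windows\\System32\\regsvr32.exe"
type=net dst=203.0.113.10 dport=993 proto=tcp image="C:\\Program Files\\Mail\\mail.exe"
type=dns query=bitthum.kro.kr image="C:\\Windows\\System32\\regsvr32.exe"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} -> {f.detail}")
```

On the sample, lines 1, 3, 5 and 7 fire and lines 2, 4 and 6 stay quiet: the vendor-installer regsvr32 call outside the profile, the unrelated PDF and the mail client's own IMAPS session are exactly the benign neighbours a hash-and-IP-only rule set would not distinguish from the malicious ones, which is why the behavioural rules are keyed on the process image rather than only on the listed indicators. The C2 IP list in particular will age quickly; the regsvr32 rules survive an infrastructure change.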

Read more: https://asec.ahnlab.com/en/60054/